Safety operation configuration for computer assisted vehicle

ABSTRACT

Embodiments include apparatuses, methods, and systems for computer assisted or autonomous driving. An apparatus may include a storage and a safety operation controller disposed in a computer assisted or autonomous driving vehicle. The storage may store a safety operation configuration and a list of safety operations to be performed on one or more device components. The safety operation configuration and the list of safety operations may be provided by a first party. The safety operation configuration may be used to configure selected ones of the list of safety operations by a second party different from the first party to obtain configured safety operations to be performed on the one or more device components. The safety operation controller may perform the configured safety operations on the one or more device components. Other embodiments may also be described and claimed.

FIELD

Embodiments of the present disclosure relate generally to the technical fields of computing, computer assisted or autonomous driving, and more particularly to safety operations for a computer device in a computer assisted or autonomous driving vehicle.

BACKGROUND

The background description provided herein is for the purpose of generally presenting the context of the disclosure. Unless otherwise indicated herein, the materials described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.

Functional safety is an important consideration for computer assisted or autonomous driving vehicles and many other applications. Various standards bodies, e.g., the International Organization for Standardization (ISO), have developed standards for the computer assisted or autonomous driving vehicle industry. For example, the ISO 26262 standard, titled “Road vehicles—Functional safety,” is an international standard for functional safety of electrical and/or electronic systems in computer assisted or autonomous driving vehicles. The ISO 26262 standard may specify various safety levels, e.g., Automotive Safety Integrity Level (ASIL) A, B, C or D. Original equipment manufacturers (OEMs) may have the flexibility to meet the various ASIL levels of the ISO 26262 standard. The flexibility for the OEMs may pose challenges for product providers to meet the different ASIL levels of the ISO 26262 standard.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments will be readily understood by the following detailed description in conjunction with the accompanying drawings. To facilitate this description, like reference numerals designate like structural elements. Embodiments are illustrated by way of example and not by way of limitation in the figures of the accompanying drawings.

FIG. 1 illustrates an example apparatus for computer assisted or autonomous driving, where the apparatus includes a safety operation controller and a safety operation configuration, in accordance with various embodiments.

FIG. 2 illustrates another example apparatus for computer assisted or autonomous driving, where the apparatus includes a safety operation controller and a safety operation configuration, in accordance with various embodiments.

FIG. 3 illustrates an example process for safety operations to be performed by an apparatus for computer assisted or autonomous driving, in accordance with various embodiments.

FIG. 4 illustrates another example process for safety operations to be performed by an apparatus for computer assisted or autonomous driving, in accordance with various embodiments.

FIG. 5 illustrates an example computer device suitable for use to practice various aspects of the present disclosure, in accordance with various embodiments.

FIG. 6 illustrates a storage medium having instructions for practicing methods described with references to FIGS. 1-5, in accordance with various embodiments.

FIG. 7 illustrates an environment in which various embodiments described with references to FIGS. 1-6 may be practiced.

DETAILED DESCRIPTION

A computer assisted or autonomous driving vehicle may include many device components manufactured by different parties. Functional safety is an important consideration for computer assisted or autonomous driving vehicles. In order to meet the various safety levels, e.g., Automotive Safety Integrity Level (ASIL) A, B, C or D, specified in the ISO 26262 standard, device components in a computer assisted or autonomous driving vehicle may be developed by a long, strict, and structured process. Often the device components may not be flexible and cannot be easily changed without compromising the safety operations.

Embodiments herein may present a modular safety operation infrastructure including a safety operation controller, a safety operation configuration, and a list of safety operations to be performed on one or more device components of a computer assisted or autonomous driving vehicle. The safety operation configuration and the list of safety operations may be provided by a first party. The safety operation configuration may be used to configure selected ones of the list of safety operations by a second party different from the first party to obtain configured safety operations to be performed on the one or more device components. In embodiments, the first party may provide the various device components, while the second party may utilize the device components and configure the safety operations of the device components without changing the device components. For example, the modular safety operation infrastructure, including the safety operation controller, the safety operation configuration, and the list of safety operations, may provide original equipment manufacturers (OEMs) a solution to configure functional safety policies without changing the system code and without compromising the safety level. An OEM may configure their functional safety solution as they see fit, monitor their environment and operate accordingly without changing the safety operations themselves. Such a safety operation infrastructure may reduce the time for development, integration, and debug and field support for the OEMs. Even though the modular safety operation infrastructure herein is presented for computer assisted or autonomous driving vehicles, it may be applicable to other industrial functional safety systems as well.

In embodiments, an apparatus for computer assisted or autonomous driving may include a storage and a safety operation controller disposed in a computer assisted or autonomous driving vehicle. The storage may store a safety operation configuration and a list of safety operations to be performed on one or more device components of the computer assisted or autonomous driving vehicle. The safety operation configuration and the list of safety operations may be provided by a first party. The safety operation configuration may be used to configure selected ones of the list of safety operations by a second party different from the first party to obtain configured safety operations to be performed on the one or more device components. The safety operation controller may perform the configured safety operations on the one or more device components in accordance with the configured safety operations.

In embodiments, a method for safety operations for computer assisted or autonomous driving may include: providing, by a first party, a safety operation configuration and a list of safety operations to be performed on one or more device components of a computer assisted or autonomous driving vehicle; configuring, by a second party different from the first party through the safety operation configuration, selected ones of the list of safety operations to obtain configured safety operations to be performed on the one or more device components. The method may further include more operations performed by a safety operation controller: performing the configured safety operations on the one or more device components; monitoring a failure from the one or more device components; receiving an error message from the one or more device components; responding to the error message; performing recovery from the failure; and notifying a host or a platform processor coupled to the safety operation controller of the failure based on the error message.

In embodiments, an apparatus for computer assisted or autonomous driving may include a storage and a safety operation controller disposed in a computer assisted or autonomous driving vehicle. The storage may store a safety operation configuration and a list of safety operations to be performed on one or more device components of the computer assisted or autonomous driving vehicle. The safety operation configuration and the list of safety operations may be provided by a first party. The safety operation configuration may be used to configure selected ones of the list of safety operations by a second party different from the first party to obtain configured safety operations to be performed on the one or more device components. The safety operation controller may perform the configured safety operations on the one or more device components in accordance with the configured safety operations. The safety operation controller may include a safety operation scheduler and an error handler. The safety operation scheduler may perform the configured safety operations on the one or more device components, receive an error message from the one or more device components, and monitor a failure from the one or more device components. In addition, the error handler may respond to the error message, perform recovery from the failure, and notify a host or a platform processor of the failure based on the error message.

In the description to follow, reference is made to the accompanying drawings that form a part hereof wherein like numerals designate like parts throughout, and in which is shown by way of illustration embodiments that may be practiced. It is to be understood that other embodiments may be utilized and structural or logical changes may be made without departing from the scope of the present disclosure. Therefore, the following detailed description is not to be taken in a limiting sense, and the scope of embodiments is defined by the appended claims and their equivalents.

Operations of various methods may be described as multiple discrete actions or operations in turn, in a manner that is most helpful in understanding the claimed subject matter. However, the order of description should not be construed as to imply that these operations are necessarily order dependent. In particular, these operations may not be performed in the order of presentation. Operations described may be performed in a different order than the described embodiments. Various additional operations may be performed and/or described operations may be omitted, split or combined in additional embodiments.

For the purposes of the present disclosure, the phrase “A or B” and “A and/or B” means (A), (B), or (A and B). For the purposes of the present disclosure, the phrase “A, B, and/or C” means (A), (B), (C), (A and B), (A and C), (B and C), or (A, B and C).

The description may use the phrases “in an embodiment,” or “in embodiments,” which may each refer to one or more of the same or different embodiments. Furthermore, the terms “comprising,” “including,” “having,” and the like, as used with respect to embodiments of the present disclosure, are synonymous.

As used hereinafter, including the claims, the term “module” or “routine” may refer to, be part of, or include an Application Specific Integrated Circuit (ASIC), an electronic circuit, a processor (shared, dedicated, or group) and/or memory (shared, dedicated, or group) that execute one or more software or firmware programs, a combinational logic circuit, and/or other suitable components that provide the described functionality.

Where the disclosure recites “a” or “a first” element or the equivalent thereof, such disclosure includes one or more such elements, neither requiring nor excluding two or more such elements. Further, ordinal indicators (e.g., first, second or third) for identified elements are used to distinguish between the elements, and do not indicate or imply a required or limited number of such elements, nor do they indicate a particular position or order of such elements unless otherwise specifically stated.

The terms “coupled with” and “coupled to” and the like may be used herein. “Coupled” may mean one or more of the following. “Coupled” may mean that two or more elements are in direct physical or electrical contact. However, “coupled” may also mean that two or more elements indirectly contact each other, but yet still cooperate or interact with each other, and may mean that one or more other elements are coupled or connected between the elements that are said to be coupled with each other. By way of example and not limitation, “coupled” may mean two or more elements or devices are coupled by electrical connections on a printed circuit board such as a motherboard, for example. By way of example and not limitation, “coupled” may mean two or more elements/devices cooperate and/or interact through one or more network linkages such as wired and/or wireless networks. By way of example and not limitation, a computing apparatus may include two or more computing devices “coupled” on a motherboard or by one or more network linkages.

As used herein, the term “circuitry” refers to, is part of, or includes hardware components such as an electronic circuit, a logic circuit, a processor (shared, dedicated, or group) and/or memory (shared, dedicated, or group), an Application Specific Integrated Circuit (ASIC), a field-programmable device (FPD) (for example, a field-programmable gate array (FPGA), a programmable logic device (PLD), a complex PLD (CPLD), a high-capacity PLD (HCPLD), a structured ASIC, or a programmable System on Chip (SoC)), digital signal processors (DSPs), etc., that are configured to provide the described functionality. In some embodiments, the circuitry may execute one or more software or firmware programs to provide at least some of the described functionality.

As used herein, the term “processor circuitry” may refer to, is part of, or includes circuitry capable of sequentially and automatically carrying out a sequence of arithmetic or logical operations; recording, storing, and/or transferring digital data. The term “processor circuitry” may refer to one or more application processors, one or more baseband processors, a physical central processing unit (CPU), a single-core processor, a dual-core processor, a triple-core processor, a quad-core processor, and/or any other device capable of executing or otherwise operating computer-executable instructions, such as program code, software modules, and/or functional processes.

As used herein, the term “interface circuitry” may refer to, is part of, or includes circuitry providing for the exchange of information between two or more components or devices. The term “interface circuitry” may refer to one or more hardware interfaces (for example, buses, input/output (I/O) interfaces, peripheral component interfaces, network interface cards, and/or the like).

As used herein, the term “computer device” may describe any physical hardware device capable of sequentially and automatically carrying out a sequence of arithmetic or logical operations, equipped to record/store data on a machine readable medium, and transmit and receive data from one or more other devices in a communications network. A computer device may be considered synonymous to, and may hereafter be occasionally referred to, as a computer, computing platform, computing device, etc. The term “computer system” may include any type of interconnected electronic devices, computer devices, or components thereof. Additionally, the term “computer system” and/or “system” may refer to various components of a computer that are communicatively coupled with one another. Furthermore, the term “computer system” and/or “system” may refer to multiple computer devices and/or multiple computing systems that are communicatively coupled with one another and configured to share computing and/or networking resources. Examples of “computer devices”, “computer systems”, etc. may include cellular phones or smartphones, feature phones, tablet personal computers, wearable computing devices, autonomous sensors, laptop computers, desktop personal computers, video game consoles, digital media players, handheld messaging devices, personal data assistants, electronic book readers, augmented reality devices, server computer devices (e.g., stand-alone, rack-mounted, blade, etc.), cloud computing services/systems, network elements, in-vehicle infotainment (IVI), in-car entertainment (ICE) devices, an Instrument Cluster (IC), head-up display (HUD) devices, onboard diagnostic (OBD) devices, dashtop mobile equipment (DME), mobile data terminals (MDTs), Electronic Engine Management Systems (EEMSs), electronic/engine control units (ECUs), vehicle-embedded computer devices (VECDs), autonomous or semi-autonomous driving vehicle (hereinafter, simply ADV) systems, in-vehicle navigation systems, electronic/engine control modules (ECMs), embedded systems, microcontrollers, control modules, engine management systems (EMS), networked or “smart” appliances, machine-type communications (MTC) devices, machine-to-machine (M2M), Internet of Things (IoT) devices, and/or any other like electronic devices. Moreover, the term “vehicle-embedded computer device” may refer to any computer device and/or computer system physically mounted on, built in, or otherwise embedded in a vehicle.

As used herein, the term “network element” may be considered synonymous to and/or referred to as a networked computer, networking hardware, network equipment, router, switch, hub, bridge, radio network controller, radio access network device, gateway, server, and/or any other like device. The term “network element” may describe a physical computing device of a wired or wireless communication network and be configured to host a virtual machine. Furthermore, the term “network element” may describe equipment that provides radio baseband functions for data and/or voice connectivity between a network and one or more users. The term “network element” may be considered synonymous to and/or referred to as a “base station.” As used herein, the term “base station” may be considered synonymous to and/or referred to as a node B, an enhanced or evolved node B (eNB), next generation nodeB (gNB), base transceiver station (BTS), access point (AP), roadside unit (RSU), etc., and may describe equipment that provides the radio baseband functions for data and/or voice connectivity between a network and one or more users. As used herein, the terms “vehicle-to-vehicle” and “V2V” may refer to any communication involving a vehicle as a source or destination of a message. Additionally, the terms “vehicle-to-vehicle” and “V2V” as used herein may also encompass or be equivalent to vehicle-to-infrastructure (V2I) communications, vehicle-to-network (V2N) communications, vehicle-to-pedestrian (V2P) communications, or V2X communications.

As used herein, the term “channel” may refer to any transmission medium, either tangible or intangible, which is used to communicate data or a data stream. The term “channel” may be synonymous with and/or equivalent to “communications channel,” “data communications channel,” “transmission channel,” “data transmission channel,” “access channel,” “data access channel,” “link,” “data link,” “carrier,” “radiofrequency carrier,” and/or any other like term denoting a pathway or medium through which data is communicated. Additionally, the term “link” may refer to a connection between two devices through a Radio Access Technology (RAT) for the purpose of transmitting and receiving information.

FIG. 1 illustrates an example apparatus 100 for computer assisted or autonomous driving, where the apparatus 100 may include a safety operation controller 101 and a safety operation configuration 133, in accordance with various embodiments. For clarity, features of the apparatus 100, the safety operation controller 101, and the safety operation configuration 133 may be described below as an example for understanding an example apparatus for computer assisted or autonomous driving, a safety operation controller, and a safety operation configuration. It is to be understood that there may be more or fewer components included in the apparatus 100, the safety operation controller 101, and the safety operation configuration 133. Further, it is to be understood that one or more of the devices and components within the apparatus 100, the safety operation controller 101, and the safety operation configuration 133 may include additional and/or varying features from the description below, and may include any devices and components that one having ordinary skill in the art would consider and/or refer to as the devices and components of an apparatus for computer assisted or autonomous driving, a safety operation controller, and a safety operation configuration.

In embodiments, the apparatus 100 for computer assisted or autonomous driving may include the safety operation controller 101 and a storage 103 to store the safety operation configuration 133. The storage 103 may be a replaceable flash memory coupled to the safety operation controller 101. In addition, the apparatus 100 may include a device component 105, and a processor 107. The apparatus 100, including the storage 103 and the safety operation controller 101, may be disposed in a computer assisted or autonomous driving vehicle, e.g., a computer assisted or autonomous driving vehicle 701 as shown in FIG. 7.

The storage 103 may include the safety operation configuration 133 and a list of safety operations 131, which are to be performed on one or more device components of a computer assisted or autonomous driving vehicle, e.g., the device component 105. The safety operation configuration 133 and the list of safety operations 131 may be provided by a first party. The safety operation configuration 133 may be used to configure selected ones of the list of safety operations 131 by a second party different from the first party to obtain configured safety operations 135 to be performed on the one or more device components, e.g., the device component 105. The configured safety operations 135 may be stored in the storage 103 as well. The safety operation controller 101 may perform the configured safety operations 135 on the one or more device components in accordance with the configured safety operations.

In embodiments, the list of safety operations 131 may include memory built-in-self-test (MBIST) operations, logic built-in-self-test (LBIST) operations, error injection operations, voltage monitoring operations, temperature monitoring operations, clock monitoring operations, software redundancy operations, software test libraries operations, or any other safety operations.

In embodiments, the safety operation configuration 133 may be provided by a first party as an application programming interface (API). The safety operation configuration 133 may be used by a second party to enable or disable certain safety operations of the list of safety operations 131 to obtain the configured safety operations 135. Therefore, the second party can configure the safety operations through the safety operation configuration 133 without going through the details of the code of device components, hence maintaining the integrity of the device components. For example, through the safety operation configuration 133, the second party may turn off safety operations on the device component 105.

In embodiments, the configured safety operations 135 may include or exclude selected ones of the list of safety operations 131. For example, the configured safety operations 135 may exclude safety operations of a device component from the list of safety operations 131, when the device component may be turned off. The configured safety operations 135 may further include a configured safety operation added to the list of safety operations 131 by the second party using the safety operation configuration 133.

In embodiments, the safety operation controller 101 may be implemented as software operated on the processor 107. In some other embodiments, the safety operation controller 101 may be implemented in circuitry, such as an FPGA, an ASIC, or other dedicated processor or processor core. The safety operation controller 101 may perform the configured safety operations 135 on the one or more device components, e.g., the device component 105, in accordance with the configured safety operations. In addition, the safety operation controller 101 may monitor a failure from the one or more device components, receive an error message from the one or more device components, respond to the error message, perform recovery from the failure, and notify a host or a platform processor of the failure based on the error message.

In embodiments, the processor 107 may include one or more central processing units (CPUs). In some embodiments, the processor 107, in addition to the one or more CPUs, may include a programmable device (such as a hardware accelerator or an FPGA) that may implement the safety operation controller 101. In embodiments, the processor 107 may be a microcontroller, a 16-bit processor, a 32-bit processor, a 64-bit processor, a single core processor, a multi-core processor, a digital signal processor, an embedded processor, or any other processor.

In embodiments, the device component 105 may include a central processing unit (CPU), a direct memory access (DMA), a faultRobust network (FRNET), a universal asynchronous receiver-transmitter (UART), a general-purpose input/output (GPIO), a serial peripheral interface (SPI), an inter-integrated circuit (I2C), a camera, an embedded MultiMediaCard (EMMC), a voltage monitor, a clock monitor, or a temperature monitor. The device component 105 may be ASIL-D certified. In some other embodiments, there may be more device components coupled to the safety operation controller 101, as shown in FIG. 2.

In embodiments, the apparatus 100 may be a system on chip (SoC), integrating the device component 105, the processor 107, the storage 103, and the safety operation controller 101. The apparatus 100 may further include cache, random access memory (RAM), peripheral functions, or other functions onto one chip. Alternatively, the apparatus 100 may be a system integrated on a same circuit board to include the device component 105, the processor 107, the storage 103, the safety operation controller 101, and other components. The apparatus 100 may be for various applications such as wireless communication, digital signal processing, security, and other applications. For example, the apparatus 100 may be a VECD, an ECU, an in-vehicle navigation system, a wearable device, a smartphone, a computer tablet, a laptop, a game controller, a set-top box, an infotainment console, an IoT device, or others.

FIG. 2 illustrates another example apparatus 200 for computer assisted or autonomous driving, where the apparatus 200 may include a safety operation controller 201 and a safety operation configuration 233, in accordance with various embodiments. FIG. 3 illustrates an example process 300 for safety operations to be performed by the apparatus 200. The apparatus 200, the safety operation controller 201, and the safety operation configuration 233 may be similar to the apparatus 100, the safety operation controller 101, and the safety operation configuration 133, as shown in FIG. 1.

In embodiments, the apparatus 200 for computer assisted or autonomous driving may include the safety operation controller 201 and a storage 203 to store the safety operation configuration 233 and a list of safety operations 231. In addition, the apparatus 200 may include a device component 205, a device component 241, a device component 243, a device component 245, and a processor 207. The apparatus 200, including the storage 203, the safety operation controller 201, the device component 205, the device component 241, the device component 243, the device component 245, and the processor 207, may be disposed in a computer assisted or autonomous driving vehicle. The safety operation controller 201 may include a safety operation scheduler 211 and an error handler 213.

In embodiments, the device component 205 and the safety operation controller 201 may be on a same system-on-chip (SoC), and the device component 205 may be an intellectual property (IP) core integrated on the SoC. In some other embodiments, there may be more than one device component, e.g., more IP cores, integrated on the SoC. In addition, the device component 241 may be a software component to be operated on the safety operation controller 201, the device component 243 may be a host, and the device component 245 may be a platform processor. The device component 243, e.g., a host, and the device component 245, e.g., a platform processor, may be on a same circuit board as the safety operation controller 201.

In embodiments, the device component 205, the device component 241, the device component 243, or the device component 245 may include one or more device components selected from a CPU, a DMA, a FRNET, a UART, a GPIO, a SPI, an I2C, a camera, an EMMC, a voltage monitor, a clock monitor, or a temperature monitor. The device component 205, the device component 241, the device component 243, or the device component 245 may be ASIL-D certified.

In embodiments, the safety operation configuration 233 may include a data structure with various fields, such as an identification (ID), an enable, an error severity, a fail mode, an execution mode, an execution period, an execution time limit, a recovery time limit, a threshold, a notification, and any other information or arguments field. For example, the following table may present more details, where B represents a byte and MCU represents a platform processor.

| Field Name | Size | Possible values | Description |
|---|---|---|---|
| ID | 4B | Positive integer | The ID of the safety operation. |
| Enable | 1B | [True, False] | True if the test is enabled. |
| Error Severity | 2B | [Critical error, normal error, warning, information] | The severity of the failure of the safety operation; may be a critical error, a normal error, a warning, or an information. |
| Fail Mode | 1B | [operational, safe] | If operational, then try to recover the failing safety operation. |
| Recovery | 1B | [default, user] | Recovery by default or by user intervention. |
| Execution Mode | 2B | [Once, Periodic, SoC event, Key-on, Key-off] | Once\Periodic - once or periodic safety operations. SoC event - triggered by the SoC by interrupt, e.g. error correction code (ECC) errors and parity errors. Key-on\Key-off - runs only in the context of tests. |
| Execution Period | 4B | Time in milliseconds | Valid only when Execution Mode is Periodic. |
| Execution Time limit | 4B | Time in milliseconds | If this time elapses, notify a failure of the safety operation. |
| Recovery Time limit | 4B | Time in milliseconds | If this time elapses, notify a failure. |
| Threshold | 4B | Positive integer | If the number of failures crosses the Threshold, a host or a MCU will be notified. |
| Notification | 2B | [HOST, MCU, MainCPU, None] | HOST - the result will be notified to HOST. MCU - the result will be notified to MCU. MainCPU - the result will be notified to MainCPU. None - the result is not notified to anybody. |
| Arguments | variable | [ . . . ] | A list of arguments specific to the safety operation. |

As illustrated in FIG. 3, the safety operation configuration 233 and the list of safety operations 231 may be provided by a first party. The safety operation configuration 233 may be used to configure selected ones of the list of safety operations 231 by a second party different from the first party to obtain the configured safety operations 235, which may be stored in the storage 203 as well.

For example, the configured safety operations 235 may include the following safety operations, where ID 1 may be an ECC correctable error, ID 2 may be an ECC uncorrectable error, and ID 3, ID 4, and ID 5 may be MBIST.

| ID | Enable | Severity | Fail mode | Recovery | Execution Mode | Exe Period | R-Time limit | Notify | Arguments |
|---|---|---|---|---|---|---|---|---|---|
| 1 | True | Warning | Operational | Default | SoC event | — | 50 | None | — |
| 2 | True | Error | Operational | Default | SoC event | — | 50 | HOST | — |
| 3 | True | Error | Safe | User | Periodic | 150 | | HOST | regular-test |
| 4 | True | Error | Safe | User | Key-on | — | | HOST | sanity-test |
| 5 | True | Error | Safe | User | Key-off | — | | HOST | full-test |
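The configuration record layout of the first table and the configured operations of the second, as an added worked example in Python. It is not code from the patent: the numeric codes for the enumerated fields, the little-endian byte order, the length-prefixed NUL-separated argument encoding, and the names SafetyOpConfig, configure, VENDOR_LIST and OEM_RECORDS are assumptions of this example. It packs and parses a record, enforces the constraints the table states (a positive ID and Threshold, enumerated values only, an Execution Period only in Periodic mode), and models the second party configuring only operations that appear on the first party's list; the sample records are constructed to match the five configured operations above.

```python
import struct
from dataclasses import dataclass, field

# Symbolic values follow the configuration table; the codes, byte order and argument encoding are assumed.
SEVERITY = {"critical": 0, "error": 1, "warning": 2, "information": 3}
FAIL_MODE = {"operational": 0, "safe": 1}
RECOVERY = {"default": 0, "user": 1}
EXEC_MODE = {"once": 0, "periodic": 1, "soc_event": 2, "key_on": 3, "key_off": 4}
NOTIFY = {"HOST": 0, "MCU": 1, "MainCPU": 2, "None": 3}
ENUMS = [("severity", SEVERITY), ("fail_mode", FAIL_MODE), ("recovery", RECOVERY),
         ("exec_mode", EXEC_MODE), ("notify", NOTIFY)]

# Fixed-size part of a record (29 bytes): ID 4B, Enable 1B, Error Severity 2B, Fail Mode 1B,
# Recovery 1B, Execution Mode 2B, Execution Period 4B, Execution Time limit 4B, Recovery Time
# limit 4B, Threshold 4B, Notification 2B; then a 2-byte argument length and NUL-separated args.
HEADER = struct.Struct("<IBHBBHIIIIH")
ARGLEN = struct.Struct("<H")


def _decode(table: dict[str, int], code: int, name: str) -> str:
    names = {v: k for k, v in table.items()}  # inverse lookup for records read back
    if code not in names:
        raise ValueError(f"{name}: unknown code {code}")
    return names[code]


@dataclass
class SafetyOpConfig:
    op_id: int
    enable: bool
    severity: str
    fail_mode: str
    recovery: str
    exec_mode: str
    period_ms: int = 0
    exec_limit_ms: int = 0
    recovery_limit_ms: int = 0
    threshold: int = 1
    notify: str = "None"
    arguments: list[str] = field(default_factory=list)

    def validate(self) -> None:
        """Enforce the value constraints the configuration table states."""
        for attr, table in ENUMS:
            if getattr(self, attr) not in table:
                raise ValueError(f"{attr}: {getattr(self, attr)!r} not in {sorted(table)}")
        if self.op_id <= 0 or self.threshold <= 0:
            raise ValueError("ID and Threshold must be positive integers")
        # Execution Period is valid only when Execution Mode is Periodic.
        if (self.exec_mode == "periodic") != (self.period_ms > 0):
            raise ValueError("Execution Period must be set exactly when mode is periodic")

    def pack(self) -> bytes:
        self.validate()  # never serialise a record that violates the table
        sev, fm, rc, em, nt = (table[getattr(self, attr)] for attr, table in ENUMS)
        args = "\0".join(self.arguments).encode()
        head = HEADER.pack(self.op_id, int(self.enable), sev, fm, rc, em, self.period_ms,
                           self.exec_limit_ms, self.recovery_limit_ms, self.threshold, nt)
        return head + ARGLEN.pack(len(args)) + args

    @classmethod
    def unpack(cls, data: bytes) -> "SafetyOpConfig":
        """Parse a record read from storage, checking lengths before trusting fields."""
        if len(data) < HEADER.size + ARGLEN.size:
            raise ValueError("record too short")
        f = HEADER.unpack_from(data, 0)
        (n,) = ARGLEN.unpack_from(data, HEADER.size)
        start = HEADER.size + ARGLEN.size
        if len(data) != start + n:
            raise ValueError("argument length does not match record size")
        raw = data[start:].decode()
        cfg = cls(f[0], bool(f[1]), _decode(SEVERITY, f[2], "Error Severity"),
                  _decode(FAIL_MODE, f[3], "Fail Mode"), _decode(RECOVERY, f[4], "Recovery"),
                  _decode(EXEC_MODE, f[5], "Execution Mode"), f[6], f[7], f[8], f[9],
                  _decode(NOTIFY, f[10], "Notification"), raw.split("\0") if raw else [])
        cfg.validate()
        return cfg


def configure(vendor_list, oem_records):
    """Second party configures selected first-party operations; IDs outside the
    first party's list are rejected and every record is validated before use."""
    for rec in oem_records:
        if rec.op_id not in vendor_list:
            raise ValueError(f"ID {rec.op_id} is not on the first party's list")
        rec.validate()
    return {rec.op_id: rec for rec in oem_records}


# Constructed sample data mirroring the table above (IDs 1-2: ECC errors, 3-5: MBIST).
VENDOR_LIST = {1: "ECC correctable error", 2: "ECC uncorrectable error", 3: "MBIST", 4: "MBIST", 5: "MBIST"}
OEM_RECORDS = [
    SafetyOpConfig(1, True, "warning", "operational", "default", "soc_event", recovery_limit_ms=50),
    SafetyOpConfig(2, True, "error", "operational", "default", "soc_event", recovery_limit_ms=50, notify="HOST"),
    SafetyOpConfig(3, True, "error", "safe", "user", "periodic", 150, notify="HOST", arguments=["regular-test"]),
    SafetyOpConfig(4, True, "error", "safe", "user", "key_on", notify="HOST", arguments=["sanity-test"]),
    SafetyOpConfig(5, True, "error", "safe", "user", "key_off", notify="HOST", arguments=["full-test"]),
]
```

The length checks in unpack matter because the storage is described later as replaceable flash: a record is validated both when the second party writes it and again when the controller reads it back, so a truncated or out-of-range record is rejected rather than scheduled.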

In embodiments, the safety operation scheduler 211 may schedule safety operations of the configured safety operations 235 to be performed on the one or more device components, e.g., the device component 205, the device component 241, the device component 243, or the device component 245. In some embodiments, the safety operation scheduler 211 may schedule the safety operations of the configured safety operations 235 to be performed periodically on the one or more device components, e.g., the device component 205, the device component 241, the device component 243, or the device component 245. The safety operation scheduler 211 may further perform the scheduled safety operations on the one or more device components, receive an error message from the one or more device components, and monitor a failure from the one or more device components.

In addition, the error handler 213 may respond to the error message, perform recovery from the failure, and notify a host, e.g., the device component 243, or a platform processor, e.g., the device component 245, of the failure based on the error message. In embodiments, the error message may have a plurality of severities including a critical error, a normal error, a warning, or an information. The host, e.g., the device component 243, or the platform processor, e.g., the device component 245, may be notified when the error message has a critical error.

FIG. 4 illustrates another example process 400 for safety operations to be performed by an apparatus for computer assisted or autonomous driving, in accordance with various embodiments. In embodiments, the process 400 may be a process performed by the apparatus 100 in FIG. 1 or the apparatus 200 in FIG. 2.

The process 400 may start at an interaction 401. During the interaction 401, a safety operation configuration and a list of safety operations may be provided by a first party. The list of safety operations may be performed on one or more device components of a computer assisted or autonomous driving vehicle. For example, at the interaction 401, the safety operation configuration 233 and the list of safety operations 231 may be provided by a first party. The list of safety operations 231 may be performed on one or more device components of a computer assisted or autonomous driving vehicle, e.g., the device component 205, the device component 241, the device component 243, or the device component 245.

During an interaction 403, selected ones of the list of safety operations may be configured through the safety operation configuration by a second party different from the first party to obtain configured safety operations to be performed on the one or more device components. For example, at the interaction 403, selected ones of the list of safety operations 231 may be configured through the safety operation configuration 233 by a second party different from the first party to obtain configured safety operations 235. The configured safety operations 235 may be performed on the one or more device components, e.g., the device component 205, the device component 241, the device component 243, or the device component 245.

During an interaction 405, the configured safety operations may be performed by a safety operation controller on the one or more device components. For example, at the interaction 405, the configured safety operations 235 may be performed by the safety operation controller 201 on the one or more device components, e.g., the device component 205, the device component 241, the device component 243, or the device component 245. In some embodiments, the configured safety operations 235 may be performed by the safety operation scheduler 211 within the safety operation controller 201.

During an interaction 407, a failure from the one or more device components may be monitored by the safety operation controller. For example, at the interaction 407, a failure from the one or more device components, e.g., the device component 205, the device component 241, the device component 243, or the device component 245, may be monitored by the safety operation controller 201.

During an interaction 409, an error message from the one or more device components may be received by the safety operation controller. For example, at the interaction 409, an error message from the one or more device components, e.g., the device component 205, the device component 241, the device component 243, or the device component 245, may be received by the safety operation controller 201.

During an interaction 411, the safety operation controller may respond to the error message. For example, at the interaction 411, the safety operation controller 201 may respond to the error message.

During an interaction 413, recovery from the failure may be performed by the safety operation controller. For example, at the interaction 413, recovery from the failure may be performed by the safety operation controller 201.

During an interaction 415, a host or a platform processor coupled to the safety operation controller may be notified by the safety operation controller about the failure based on the error message. For example, a host, e.g., the device component 243, or a platform processor, e.g., the device component 245, coupled to the safety operation controller may be notified by the safety operation controller 201 about the failure based on the error message.
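The scheduler and error handler behaviour described above (interactions 405 through 415 of process 400, and the safety operation scheduler 211 and error handler 213 of FIG. 3), as an added example in Python that is not code from the patent. The classes Op, ErrorHandler and Scheduler and the function demo are this example's own names; the device components and the recovery routine are constructed callables. The notification policy follows the configuration table and the text: a critical error always notifies the host, while other failures notify the configured target once the Threshold is reached. Treating the safe fail mode as taking the operation out of scheduling until a user intervenes is an assumption of the example.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass
class Op:
    op_id: int
    exec_mode: str          # once | periodic | soc_event | key_on | key_off
    fail_mode: str          # operational: try to recover; safe: stop the operation
    severity: str           # critical | error | warning | information
    period_ms: int = 0      # valid only for periodic operations
    threshold: int = 1      # failures before the notification target is told
    notify: str = "None"    # HOST | MCU | MainCPU | None

# Constructed callables: run(op_id) -> True on pass; recover(op_id) -> True when recovered.
RunFn = Callable[[int], bool]


class ErrorHandler:
    """Responds to error messages: counts failures, recovers or goes safe, notifies."""
    def __init__(self) -> None:
        self.failure_count: dict[int, int] = {}
        self.notifications: list[tuple[str, int, str]] = []   # (target, op_id, reason)
        self.safe_state: set[int] = set()

    def handle(self, op: Op, recover: RunFn) -> str:
        n = self.failure_count[op.op_id] = self.failure_count.get(op.op_id, 0) + 1
        # A critical error always reaches the host; otherwise notify the configured target at threshold.
        if op.severity == "critical":
            self.notifications.append(("HOST", op.op_id, "critical"))
        elif n >= op.threshold and op.notify != "None":
            self.notifications.append((op.notify, op.op_id, "threshold"))
        if op.fail_mode == "operational":
            return "recovered" if recover(op.op_id) else "unrecovered"
        self.safe_state.add(op.op_id)   # safe fail mode: stop scheduling this operation
        return "safe"


class Scheduler:
    """Runs configured operations by execution mode and hands failures to the handler."""
    def __init__(self, ops: list[Op], run: RunFn, recover: RunFn) -> None:
        self.ops = {o.op_id: o for o in ops}
        self.run, self.recover = run, recover
        self.handler = ErrorHandler()
        # next due time of once/periodic operations; None after a 'once' operation has run
        self.next_due = {o.op_id: 0 for o in ops if o.exec_mode in ("once", "periodic")}
        self.log: list[tuple[int, int, str]] = []   # (time_ms, op_id, outcome)

    def _execute(self, op: Op, now_ms: int) -> str:
        if op.op_id in self.handler.safe_state:
            return "skipped"
        outcome = "ok" if self.run(op.op_id) else self.handler.handle(op, self.recover)
        self.log.append((now_ms, op.op_id, outcome))
        return outcome

    def tick(self, now_ms: int) -> list[str]:
        """Run the once/periodic operations that are due at now_ms."""
        out = []
        for op_id, due in list(self.next_due.items()):
            if due is not None and now_ms >= due:
                op = self.ops[op_id]
                self.next_due[op_id] = now_ms + op.period_ms if op.exec_mode == "periodic" else None
                out.append(self._execute(op, now_ms))
        return out

    def event(self, kind: str, now_ms: int, op_id: int = 0) -> list[str]:
        """kind is 'soc_event' (with the interrupting op_id), 'key_on' or 'key_off'."""
        if kind == "soc_event":
            if op_id not in self.ops or self.ops[op_id].exec_mode != "soc_event":
                raise ValueError(f"no SoC-event operation with ID {op_id}")
            targets = [self.ops[op_id]]
        else:
            targets = [o for o in self.ops.values() if o.exec_mode == kind]
        return [self._execute(o, now_ms) for o in targets]


def demo() -> tuple[list[tuple[int, int, str]], list[tuple[str, int, str]]]:
    """Constructed scenario: ECC interrupts, a periodic MBIST that starts failing, key tests."""
    ops = [
        Op(1, "soc_event", "operational", "warning"),
        Op(2, "soc_event", "operational", "critical", notify="HOST"),
        Op(3, "periodic", "operational", "error", period_ms=150, threshold=2, notify="HOST"),
        Op(4, "key_on", "safe", "error", notify="HOST"),
        Op(5, "key_off", "safe", "error", notify="HOST"),
    ]
    runs: dict[int, int] = {}

    def run(op_id: int) -> bool:   # constructed component: 2 and 5 fail, 3 fails from its 3rd run
        runs[op_id] = runs.get(op_id, 0) + 1
        return op_id not in (2, 5) and not (op_id == 3 and runs[op_id] >= 3)

    s = Scheduler(ops, run, recover=lambda op_id: True)
    s.event("key_on", 0)                   # sanity-test at key-on
    s.tick(0)
    s.event("soc_event", 100, op_id=1)     # ECC correctable interrupt, passes
    s.tick(150)
    s.event("soc_event", 200, op_id=2)     # ECC uncorrectable interrupt, critical
    s.tick(300)
    s.tick(450)
    s.event("key_off", 500)                # full-test fails and goes to safe state
    s.event("key_off", 600)                # now skipped
    return s.log, s.handler.notifications
```

Two details carry the safety argument: an SoC event is only accepted for an operation configured with the SoC event execution mode, so a spurious interrupt cannot trigger an arbitrary operation, and an operation in the safe fail mode is not re-run after its failure, which is what distinguishes it from the operational mode that keeps recovering.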

FIG. 5 illustrates an example computer device 500 that may be suitable as a device to practice selected aspects of the present disclosure. The device 500 may be an example of the apparatus 100, or the computer device 200, as shown in FIG. 1 and FIG. 2, or a VECD shown in FIG. 7. As shown, the device 500 may include one or more processors 502, each having one or more processor cores, and optionally, a hardware accelerator 503 (which may be an ASIC or a FPGA). In alternate embodiments, the hardware accelerator 503 may be part of processor 502, or integrated together on a SOC. Additionally, the device 500 may include a memory 504, which may be any one of a number of known persistent storage media, and mass storage 506. In addition, the device 500 may include input/output devices 508. Furthermore, the device 500 may include communication interfaces 510 and 514. Communication interfaces 510 and 514 may be any one of a number of known communication interfaces. The elements may be coupled to each other via system bus 512, which may represent one or more buses. In the case of multiple buses, they may be bridged by one or more bus bridges (not shown). In addition, the device 500 may include a safety operation controller 501 and a device component 505, which may be examples of the safety operation controller 101 and the device component 105, or of the safety operation controller 201 and the device component 205, the device component 241, the device component 243, or the device component 245, as shown in FIG. 1 and FIG. 2. A list of safety operations 531 and a safety operation configuration 533 may be stored in the mass storage 506.

Each of these elements may perform its conventional functions known in the art. In particular, the safety operation controller 101 may be employed to store and host execution of programming instructions implementing the operations associated with safety operations to be performed by an apparatus for computer assisted or autonomous driving, as described in connection with FIGS. 1-4, and/or other functions, collectively referred to as computational logic 522 that provides the capability of the embodiments described in the current disclosure. The various elements may be implemented by assembler instructions supported by processor(s) 502 or high-level languages, such as, for example, C, that can be compiled into such instructions. Operations associated with safety operations and configuration of safety operations not implemented in software may be implemented in hardware, e.g., via hardware accelerator 503.

The number, capability and/or capacity of these elements 501-533 may vary, depending on the number of other devices the device 500 is configured to support. Otherwise, the constitutions of elements 501-533 are known, and accordingly will not be further described.

As will be appreciated by one skilled in the art, the present disclosure may be embodied as methods or computer program products. Accordingly, the present disclosure, in addition to being embodied in hardware as earlier described, may take the form of an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to as a “circuit,” “module,” or “system.”

Furthermore, the present disclosure may take the form of a computer program product embodied in any tangible or non-transitory medium of expression having computer-usable program code embodied in the medium. FIG. 6 illustrates an example computer-readable non-transitory storage medium that may be suitable for use to store instructions that cause an apparatus, in response to execution of the instructions by the apparatus, to practice selected aspects of the present disclosure. As shown, non-transitory computer-readable storage medium 602 may include a number of programming instructions 604. Programming instructions 604 may be configured to enable a device, e.g., device 500, in response to execution of the programming instructions in a safety operation controller, to perform, e.g., various operations associated with the safety operation controller 101, or the safety operation controller 201, as shown in FIG. 1 and FIG. 2.

In alternate embodiments, programming instructions 604 may be disposed on multiple computer-readable non-transitory storage media 602 instead. In alternate embodiments, programming instructions 604 may be disposed on computer-readable transitory storage media 602, such as signals. Any combination of one or more computer usable or computer readable medium(s) may be utilized. The computer-usable or computer-readable medium may be, for example but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, device, or propagation medium. More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a transmission media such as those supporting the Internet or an intranet, or a magnetic storage device. Note that the computer-usable or computer-readable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via, for instance, optical scanning of the paper or other medium, then compiled, interpreted, or otherwise processed in a suitable manner, if necessary, and then stored in a computer memory. In the context of this document, a computer-usable or computer-readable medium may be any medium that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. The computer-usable medium may include a propagated data signal with the computer-usable program code embodied therewith, either in baseband or as part of a carrier wave. The computer usable program code may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc.

Computer program code for carrying out operations of the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the “C” programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).

The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the disclosure. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer-readable medium that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable medium produce an article of manufacture including instruction means which implement the function/act specified in the flowchart and/or block diagram block or blocks.

The computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.

The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions. As used herein, “computer-implemented method” may refer to any method executed by one or more processors, a computer system having one or more processors, a mobile device such as a smartphone (which may include one or more processors), a tablet, a laptop computer, a set-top box, a gaming console, and so forth.

Embodiments may be implemented as a computer process, a computing system or as an article of manufacture such as a computer program product of computer readable media. The computer program product may be a computer storage medium readable by a computer system and encoding computer program instructions for executing a computer process.

The corresponding structures, material, acts, and equivalents of all means or steps plus function elements in the claims below are intended to include any structure, material or act for performing the function in combination with other claimed elements as specifically claimed. The description of the present disclosure has been presented for purposes of illustration and description, but is not intended to be exhaustive or limited to the disclosure in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill without departing from the scope and spirit of the disclosure. The embodiments are chosen and described in order to best explain the principles of the disclosure and the practical application, and to enable others of ordinary skill in the art to understand the disclosure for embodiments with various modifications as are suited to the particular use contemplated.

FIG. 7 illustrates an environment 700 in which various embodiments described with references to FIGS. 1-6 may be practiced. Environment 700 includes a vehicle 701, a wireless access node 703, and a cloud computing service 705 (also referred to as “cloud 705”, “the cloud 705”, and the like). The vehicle 701 may be an ADV having a VECD 711 with a safety operation controller and a safety operation configuration, as illustrated in FIGS. 1-2. For illustrative purposes, the following description is provided for deployment scenarios including the vehicle 701 in a two dimensional (2D) freeway/highway/roadway environment. However, the embodiments described herein are also applicable to any type of vehicle, such as trucks, buses, motorcycles, boats or motorboats, and/or any other motorized devices with a safety operation controller and a safety operation configuration, as illustrated in FIGS. 1-2. For example, water vehicles such as boats, ferries, barges, hovercrafts, etc., may interact and/or communicate in a same or similar manner as the vehicle 701 (e.g., using V2X circuitry and infrastructure), and such vehicles may also implement a safety operation controller and a safety operation configuration, as illustrated in FIGS. 1-2. The embodiments described herein may also be applicable to three dimensional (3D) deployment scenarios where the vehicle 701 may be implemented as flying objects, such as aircraft, drones, unmanned aerial vehicles (UAVs), and/or any other like motorized devices.

The vehicle 701 may be any type of motorized vehicle or device used for transportation of people or goods, which may be equipped with controls used for driving, parking, passenger comfort and/or safety, etc. The terms “motor”, “motorized”, etc., as used herein may refer to devices that convert one form of energy into mechanical energy, and may include internal combustion engines (ICE), compression combustion engines (CCE), electric motors, and hybrids (e.g., including an ICE/CCE and electric motor(s)). Although FIG. 7 shows only a single vehicle 701, the vehicle 701 may represent a plurality of individual motor vehicles of varying makes, models, trim, etc., which may be collectively referred to herein as the “vehicle 701.”

In embodiments, the vehicle 701, as alluded to earlier, may include the VECD 711 (e.g., the apparatus 100 shown and described with regard to FIG. 1 or the apparatus 200 shown in FIG. 2). The VECD 711 may be any type of computer device that is mounted on, built into, or otherwise embedded in a vehicle and is capable of performing safety operations by a safety operation controller and a safety operation configuration, as illustrated in FIGS. 1-2. In some embodiments, the VECD 711 may be a computer device used to control one or more systems of the vehicle 701, such as an ECU, ECM, embedded system, microcontroller, control module, EMS, OBD devices, DME, MDTs, etc.

The VECD 711 may include one or more processors (having one or more processor cores and optionally, one or more hardware accelerators), memory devices, communication devices, etc. that may be configured to carry out various functions according to the various embodiments discussed here. For example, the VECD 711 may be the computer device 500 shown in FIG. 5, and may execute instructions stored in a computer-readable medium, e.g., the computer-readable medium 602 as shown in FIG. 6, or may be pre-configured with the logic (e.g., with appropriate bit streams, logic blocks, etc.), to perform safety operations by a safety operation controller and a safety operation configuration, as illustrated in FIGS. 1-2. The various methods, procedures, processes, etc. for safety operations based on safety operation configuration are discussed infra with regard to FIGS. 1-6.

The data obtained by the VECD 711 may include sensor data from one or more sensors embedded in the vehicle 701, data packets from other VECDs 711 included in other vehicles 701 (not shown), data packets and/or data streams from cloud 705 and/or network infrastructure (e.g., core network elements of a cellular communications network, etc.), navigation signaling/data from on-board navigation systems (e.g., global navigation satellite system (GNSS), global positioning system (GPS), etc.), and/or the like. In embodiments, the VECD 711 may also include, or operate in conjunction with, communications circuitry and/or input/output (I/O) interface circuitry in order to obtain the data from the various sources.

The communications circuitry of the vehicle 701 may communicate with the cloud 705 via the wireless access node 703. The wireless access node 703 may be one or more hardware computer devices configured to provide wireless communication services to mobile devices (for example, VECD 711 in vehicle 701 or some other suitable device) within a coverage area or cell associated with the wireless access node 703. The wireless access node 703 may include a transmitter/receiver (or alternatively, a transceiver) connected to one or more antennas, one or more memory devices, one or more processors, one or more network interface controllers, and/or other like components. The one or more transmitters/receivers may be configured to transmit/receive data signals to/from one or more mobile devices via a link (e.g., link 707). Furthermore, one or more network interface controllers may be configured to transmit/receive with various network elements (e.g., one or more servers within a core network, etc.) over another backhaul connection (not shown). In embodiments, the VECD 711 may generate and transmit data to the wireless access node 703 over link 707, and the wireless access node 703 may provide the data to the cloud 705 over backhaul link 709. Additionally, during operation of the vehicle 701, the wireless access node 703 may obtain data intended for the VECD 711 from the cloud 705 over link 709, and may provide that data to the VECD 711 over link 707. The communications circuitry in the vehicle 701 may communicate with the wireless access node 703 in accordance with one or more wireless communications protocols as discussed herein.

As an example, the wireless access node 703 may be a base station associated with a cellular network (e.g., an eNB in an LTE network, a gNB in a new radio access technology (NR) network, a WiMAX base station, etc.), an RSU, a remote radio head, a relay radio device, a smallcell base station (e.g., a femtocell, picocell, home evolved nodeB (HeNB), and the like), or other like network element. In embodiments where the wireless access node is a base station, the wireless access node 703 may be deployed outdoors to provide communications for the vehicle 701 when the vehicle 701 is operating at large, for example when deployed on public roads, streets, highways, etc.

In some embodiments, the wireless access node 703 may be a gateway (GW) device that may include one or more processors, communications systems (e.g., including network interface controllers, one or more transmitters/receivers connected to one or more antennas, and the like), and computer readable media. In such embodiments, the GW may be a wireless access point (WAP), a home/business server (with or without radio frequency (RF) communications circuitry), a router, a switch, a hub, a radio beacon, and/or any other like network device. In embodiments where the wireless access node 703 is a GW, the wireless access node 703 may be deployed in an indoor setting, such as a garage, factory, laboratory or testing facility, and may be used to provide communications for the vehicle 701 while parked, prior to sale on the open market, or otherwise not operating at large.

In embodiments, the cloud 705 may represent the Internet, one or more cellular networks, a local area network (LAN) or a wide area network (WAN) including proprietary and/or enterprise networks, a Transfer Control Protocol (TCP)/Internet Protocol (IP)-based network, or combinations thereof. In such embodiments, the cloud 705 may be associated with a network operator who owns or controls equipment and other elements necessary to provide network-related services, such as one or more base stations or access points (e.g., wireless access node 703), one or more servers for routing digital data or telephone calls (for example, a core network or backbone network), etc. Implementations, components, and protocols used to communicate via such services may be those known in the art and are omitted herein for the sake of brevity.

In some embodiments, the cloud 705 may be a system of computer devices (e.g., servers, storage devices, applications, etc. within or associated with a data center or data warehouse) that provides access to a pool of computing resources. The term “computing resource” may refer to a physical or virtual component within a computing environment and/or within a particular computer device, such as memory space, processor time, electrical power, input/output operations, ports or network sockets, and the like. In these embodiments, the cloud 705 may be a private cloud, which offers cloud services to a single organization; a public cloud, which provides computing resources to the general public and shares computing resources across all customers/users; or a hybrid cloud or virtual private cloud, which uses a portion of resources to provide public cloud services while using other dedicated resources to provide private cloud services. For example, the hybrid cloud may include a private cloud service that also utilizes one or more public cloud services for certain applications or users, such as obtaining data from various data stores or data sources. In embodiments, a common cloud management platform (e.g., implemented as various virtual machines and applications hosted across the cloud 705 and database systems) may coordinate the delivery of data to the VECD 711 of vehicle 701. Implementations, components, and protocols used to communicate via such services may be those known in the art and are omitted herein for the sake of brevity.

Thus various example embodiments of the present disclosure have been described including, but are not limited to:

Example 1 may include an apparatus for computer assisted or autonomousdriving, comprising: a storage to store a safety operation configurationand a list of safety operations to be performed on one or more devicecomponents of a computer assisted or autonomous driving vehicle, whereinthe safety operation configuration and the list of safety operations areprovided by a first party, the safety operation configuration is used toconfigure selected ones of the list of safety operations by a secondparty different from the first party to obtain configured safetyoperations to be performed on the one or more device components; and asafety operation controller to perform the configured safety operationson the one or more device components in accordance with the configuredsafety operations; wherein the apparatus, including the storage and thesafety operation controller, are disposed in the computer assisted orautonomous driving vehicle.

Example 2 may include the apparatus of example 1 and/or some otherexamples herein, wherein the list of safety operations includes memorybuilt-in-self-test (MBIST) operations, logic built-in-self-test (LBIST)operations, error injection operations, voltage monitoring operations,temperature monitoring operations, clock monitoring operations, softwareredundancy operations, or software test libraries operations.

Example 3 may include the apparatus of example 1 and/or some otherexamples herein, wherein the configured safety operations furtherinclude a configured safety operation added to the list of safetyoperations by the second party using the safety operation configuration.

Example 4 may include the apparatus of example 1 and/or some otherexamples herein, wherein the safety operation configuration is used toturn off safety operations on a device component of the one or moredevice components.

Example 5 may include the apparatus of any one of examples 1-4 and/orsome other examples herein, wherein the safety operation configurationis provided as an application programming interface (API).

Example 6 may include the apparatus of any one of examples 1-4 and/orsome other examples herein, wherein at least some of the one or moredevice components and the safety operation controller are on a samesystem-on-chip, and the at least some of the one or more devicecomponents include one or more intellectual property (IP) cores.

Example 7 may include the apparatus of any one of examples 1-4 and/orsome other examples herein, wherein a device component of the one ormore device components is a host, or a platform processor, and the hostor the platform processor being on a same circuit board as the safetyoperation controller.

Example 8 may include the apparatus of any one of examples 1-4 and/or some other examples herein, wherein the one or more device components include one or more device components selected from a central processing unit (CPU), a direct memory access (DMA), a faultRobust network (FRNET), a universal asynchronous receiver-transmitter (UART), a general-purpose input/output (GPIO), a serial peripheral interface (SPI), an inter-integrated circuit (I2C), a camera, an embedded MultiMediaCard (EMMC), a voltage monitor, a clock monitor, or a temperature monitor; and the one or more device components are Automotive Safety Integrity Level D (ASIL-D) certificated.

Example 9 may include the apparatus of any one of examples 1-4 and/or some other examples herein, wherein the storage is a replaceable flash memory coupled to the safety operation controller.

Example 10 may include the apparatus of any one of examples 1-4 and/or some other examples herein, wherein the safety operation controller includes a safety operation scheduler and an error handler, and wherein the safety operation scheduler is to: schedule safety operations of the configured safety operations on the one or more device components to be performed, perform the scheduled safety operations on the one or more device components, receive an error message from the one or more device components, and monitor a failure from the one or more device components; and the error handler is to: respond to the error message, perform recovery from the failure, and notify a host or a platform processor of the failure based on the error message.

Example 11 may include the apparatus of example 10 and/or some other examples herein, wherein the safety operation scheduler is to schedule the safety operations of the configured safety operations to be performed periodically on the one or more device components.

Example 12 may include the apparatus of any one of examples 1-4 and/or some other examples herein, wherein the safety operation controller is to further: monitor a failure from the one or more device components; receive an error message from the one or more device components; respond to the error message; perform recovery from the failure; and notify a host or a platform processor of the failure based on the error message.

Example 13 may include the apparatus of example 12 and/or some other examples herein, wherein the error message has a plurality of severities including a critical error, a normal error, a warning, or an information notice.

Example 14 may include the apparatus of example 13 and/or some other examples herein, wherein the host or the platform processor is notified when the error message has a critical error.

Example 15 may include a method for safety operations for computer assisted or autonomous driving, comprising: providing, by a first party, a safety operation configuration and a list of safety operations to be performed on one or more device components of a computer assisted or autonomous driving vehicle; configuring, by a second party different from the first party through the safety operation configuration, selected ones of the list of safety operations to obtain configured safety operations to be performed on the one or more device components; performing, by a safety operation controller, the configured safety operations on the one or more device components; monitoring, by the safety operation controller, a failure from the one or more device components; receiving, by the safety operation controller, an error message from the one or more device components; responding, by the safety operation controller, to the error message; performing, by the safety operation controller, recovery from the failure; and notifying, by the safety operation controller, a host or a platform processor coupled to the safety operation controller of the failure based on the error message.

Example 16 may include the method of example 15 and/or some other examples herein, wherein the list of safety operations includes memory built-in-self-test (MBIST) operations, logic built-in-self-test (LBIST) operations, error injection operations, voltage monitoring operations, temperature monitoring operations, clock monitoring operations, software redundancy operations, or software test libraries operations.

Example 17 may include the method of any one of examples 15-16 and/or some other examples herein, wherein the configured safety operations further include a configured safety operation added to the list of safety operations by the second party using the safety operation configuration.

Example 18 may include the method of any one of examples 15-16 and/or some other examples herein, wherein at least some of the one or more device components and the safety operation controller are on a same system-on-chip, and the at least some of the one or more device components include one or more intellectual property (IP) cores.

Example 19 may include the method of any one of examples 15-16 and/or some other examples herein, wherein a device component of the one or more device components is a host, or a platform processor, the host or the platform processor being on a same circuit board as the safety operation controller, or a software component to be operated on the safety operation controller.

Example 20 may include the method of any one of examples 15-16 and/or some other examples herein, wherein the one or more device components include one or more device components selected from a central processing unit (CPU), a direct memory access (DMA), a faultRobust network (FRNET), a universal asynchronous receiver-transmitter (UART), a general-purpose input/output (GPIO), a serial peripheral interface (SPI), an inter-integrated circuit (I2C), a camera, an embedded MultiMediaCard (EMMC), a voltage monitor, a clock monitor, or a temperature monitor; and the one or more device components are Automotive Safety Integrity Level D (ASIL-D) certificated.

Example 21 may include an apparatus for computer assisted or autonomous driving, comprising: a storage to store a safety operation configuration and a list of safety operations to be performed on one or more device components of a computer assisted or autonomous driving vehicle, wherein the safety operation configuration and the list of safety operations are provided by a first party, the safety operation configuration is used to configure selected ones of the list of safety operations by a second party different from the first party to obtain configured safety operations to be performed on the one or more device components; and a safety operation controller to perform the configured safety operations on the one or more device components in accordance with the configured safety operations, wherein the safety operation controller includes a safety operation scheduler and an error handler, and wherein the safety operation scheduler is to: perform the configured safety operations on the one or more device components, receive an error message from the one or more device components, and monitor a failure from the one or more device components; and the error handler is to: respond to the error message, perform recovery from the failure, and notify a host or a platform processor of the failure based on the error message; wherein the apparatus, including the storage and the safety operation controller, is disposed in the computer assisted or autonomous driving vehicle.

Example 22 may include the apparatus of example 21 and/or some other examples herein, wherein the list of safety operations includes memory built-in-self-test (MBIST) operations, logic built-in-self-test (LBIST) operations, error injection operations, voltage monitoring operations, temperature monitoring operations, clock monitoring operations, software redundancy operations, or software test libraries operations.

Example 23 may include the apparatus of any one of examples 21-22 and/or some other examples herein, wherein at least some of the one or more device components and the safety operation controller are on a same system-on-chip, and the at least some of the one or more device components include one or more intellectual property (IP) cores.

Example 24 may include the apparatus of any one of examples 21-22 and/or some other examples herein, wherein a device component of the one or more device components is a host, or a platform processor, the host or the platform processor being on a same circuit board as the safety operation controller, or a software component to be operated on the safety operation controller.

Example 25 may include the apparatus of any one of examples 21-22 and/or some other examples herein, wherein the one or more device components include one or more device components selected from a central processing unit (CPU), a direct memory access (DMA), a faultRobust network (FRNET), a universal asynchronous receiver-transmitter (UART), a general-purpose input/output (GPIO), a serial peripheral interface (SPI), an inter-integrated circuit (I2C), a camera, an embedded MultiMediaCard (EMMC), a voltage monitor, a clock monitor, or a temperature monitor; and the one or more device components are Automotive Safety Integrity Level D (ASIL-D) certificated.

Example 26 may include one or more computer-readable media having instructions for safety operations for computer assisted or autonomous driving, upon execution of the instructions by one or more processors, to perform the method of any one of examples 15-20.

Example 27 may include an apparatus for safety operations for computer assisted or autonomous driving, comprising: means for providing, by a first party, a safety operation configuration and a list of safety operations to be performed on one or more device components of a computer assisted or autonomous driving vehicle; means for configuring, by a second party different from the first party through the safety operation configuration, selected ones of the list of safety operations to obtain configured safety operations to be performed on the one or more device components; means for performing the configured safety operations on the one or more device components; means for monitoring a failure from the one or more device components; means for receiving an error message from the one or more device components; means for responding to the error message; means for performing recovery from the failure; and means for notifying a host or a platform processor of the failure based on the error message.

Example 28 may include the apparatus of example 27 and/or some other examples herein, wherein the list of safety operations includes memory built-in-self-test (MBIST) operations, logic built-in-self-test (LBIST) operations, error injection operations, voltage monitoring operations, temperature monitoring operations, clock monitoring operations, software redundancy operations, or software test libraries operations.

Example 29 may include the apparatus of any one of examples 27-28 and/or some other examples herein, wherein the configured safety operations further include a configured safety operation added to the list of safety operations by the second party using the safety operation configuration.

Example 30 may include the apparatus of any one of examples 27-28 and/or some other examples herein, wherein at least some of the one or more device components and the means for performing the configured safety operations are on a same system-on-chip, and the at least some of the one or more device components include one or more intellectual property (IP) cores.

Example 31 may include the apparatus of any one of examples 27-28 and/or some other examples herein, wherein a device component of the one or more device components is a host, or a platform processor, the host or the platform processor being on a same circuit board as the means for performing the configured safety operations, or a software component to be operated on the means for performing the configured safety operations.

Example 32 may include the apparatus of any one of examples 27-28 and/or some other examples herein, wherein the one or more device components include one or more device components selected from a central processing unit (CPU), a direct memory access (DMA), a faultRobust network (FRNET), a universal asynchronous receiver-transmitter (UART), a general-purpose input/output (GPIO), a serial peripheral interface (SPI), an inter-integrated circuit (I2C), a camera, an embedded MultiMediaCard (EMMC), a voltage monitor, a clock monitor, or a temperature monitor; and the one or more device components are Automotive Safety Integrity Level D (ASIL-D) certificated.

Although certain embodiments have been illustrated and described herein for purposes of description, this application is intended to cover any adaptations or variations of the embodiments discussed herein. Therefore, it is manifestly intended that embodiments described herein be limited only by the claims.

What is claimed is:
1. An apparatus for computer assisted or autonomous driving, comprising: a device component disposed in a computer assisted or autonomous driving vehicle; a storage disposed in the vehicle to store a list of safety operations to be selectively configured and performed on the device component, and a safety operation configuration to selectively enable and configure a subset of the safety operations to obtain configured safety operations stored in the storage and selected for performance on the device component; and a safety operation controller disposed in the vehicle to cause the configured safety operations to be performed on the device component; wherein to selectively enable and configure the subset of the safety operations to obtain the configured safety operations, the safety operation configuration is arranged to configure an enable field of a selected one of the safety operations to denote the selected safety operation is enabled, and to configure, for each enabled safety operation, possible values for an execution mode, an error severity level, a fail mode, and a notification field, resulting in each of the configured safety operations having an identifier to identify the corresponding safety operation, an enable field value denoting that the safety operation is enabled, an execution mode value denoting whether the safety operation is to be performed once, periodically, or in response to an event, an error severity value denoting an error severity level of a failure of the safety operation when performed, a fail mode value denoting whether recovery is to be attempted on failure of the safety operation when performed, and a notification field value denoting a host or processor to be notified of a failure of the safety operation when performed.
2. The apparatus of claim 1, wherein the list of safety operations includes memory built-in-self-test (MBIST) operations, logic built-in-self-test (LBIST) operations, error injection operations, voltage monitoring operations, temperature monitoring operations, or clock monitoring operations.
3. The apparatus of claim 1, wherein the device component and the safety operation controller are on a same system-on-chip, and the device component includes one or more intellectual property (IP) cores.
4. The apparatus of claim 1, wherein the device component is the host or processor, and the host or processor is on a same circuit board as the safety operation controller.
5. The apparatus of claim 1, wherein the device component is Automotive Safety Integrity Level D (ASIL-D) certificated.
6. The apparatus of claim 1, wherein the storage is a replaceable flash memory coupled to the safety operation controller.
7. The apparatus of claim 1, wherein the safety operation controller includes a safety operation scheduler and an error handler, and wherein the safety operation scheduler is to: schedule performance of the configured safety operations on the device component, cause the scheduled safety operations to be performed on the device component, receive any error message output by the device component, and monitor for failure of any of the configured safety operations performed on the device component; and the error handler is to: respond to the error message or messages, if any, attempt to perform recovery from a failure if detected, and notify the host or processor of the failure.
8. The apparatus of claim 1, wherein the safety operation controller is to further: monitor for failure of any of the configured safety operations performed on the device component; receive any error message output by the component; respond to the error message or messages, if any; attempt to perform recovery from a failure, if detected; and notify the host or processor of the failure.
9. The apparatus of claim 1, wherein the error severity level is a selected one of a critical error, a normal error, a warning, or an information notice.
10. The apparatus of claim 1, wherein each of the configured safety operations further includes an execution time threshold value indicating an execution time limit beyond which the corresponding configured safety operation is to notify the host or processor of the failure.
11. The apparatus of claim 1, wherein each of the configured safety operations further includes a recovery time threshold value indicating a recovery time limit beyond which the corresponding configured safety operation is to notify the host or processor of the failure.
12. A method for safety operations for computer assisted or autonomous driving, comprising: providing a computer assisted or autonomous driving (CA/AD) vehicle with a device component; and storing in a storage of the CA/AD vehicle a list of safety operations and a safety operation configuration; wherein the safety operation configuration is used to enable and configure selected ones of the list of safety operations to obtain configured safety operations stored in the storage and selected for performance on the device component, including configuring an enable field of a selected one of the safety operations to denote the selected safety operation is enabled, and configuring, for each enabled safety operation, possible values for an execution mode, an error severity level, a fail mode, and a notification field, resulting in each of the configured safety operations having an identifier to identify the corresponding safety operation, an enable field value denoting that the safety operation is enabled, an execution mode value denoting whether the safety operation is to be performed once, periodically, or in response to an event, an error severity value denoting an error severity level of a failure of the safety operation when performed, a fail mode value denoting whether recovery is to be attempted on failure of the safety operation when performed, and a notification field value denoting a host or processor is to be notified of a failure of the safety operation when performed; and providing a safety operation controller of the CA/AD vehicle to: cause the configured safety operations to be performed on the device component; detect for failure of any of the configured safety operations when performed; and notify the host or processor of the failure, if detected.
13. The method of claim 12, wherein the list of safety operations includes memory built-in-self-test (MBIST) operations, logic built-in-self-test (LBIST) operations, error injection operations, voltage monitoring operations, temperature monitoring operations, or clock monitoring operations.
14. The method of claim 12, wherein the device component and at least one other device component are on a same system-on-chip, and at least some of the device components include one or more intellectual property (IP) cores.
15. The method of claim 12, wherein the device component is the host or processor.
16. The method of claim 12, wherein the device component is Automotive Safety Integrity Level D (ASIL-D) certificated.
17. An apparatus for computer assisted or autonomous driving (CA/AD), comprising: a storage disposed in a CA/AD vehicle to store a safety operation configuration and a list of safety operations, wherein the safety operation configuration is to be used to enable and configure selected ones of the list of safety operations to obtain configured safety operations for performance on a device component of the CA/AD vehicle, wherein to selectively enable and configure the selected ones of the safety operations to obtain the configured safety operations, the safety operation configuration is arranged to configure an enable field of a selected one of the safety operations to denote the selected safety operation is enabled, and to configure, for each enabled safety operation, possible values for an execution mode, an error severity level, a fail mode, and a notification field, resulting in each of the configured safety operations having an identifier to identify the corresponding safety operation, an enable field value denoting that the safety operation is enabled, an execution mode value denoting whether the safety operation is to be performed once, periodically, or in response to an event, an error severity value denoting an error severity level of a failure of the safety operation when performed, a fail mode value denoting whether recovery is to be attempted on failure of the safety operation when performed, and a notification field value denoting a host or processor to be notified of a failure of the safety operation when performed; and a safety operation controller disposed in the CA/AD vehicle to cause the configured safety operations to be performed on the device component.
18. The apparatus of claim 17, wherein the list of safety operations includes memory built-in-self-test (MBIST) operations, logic built-in-self-test (LBIST) operations, error injection operations, voltage monitoring operations, temperature monitoring operations, or clock monitoring operations.
19. The apparatus of claim 17, wherein the device component and the safety operation controller are on a same system-on-chip, and the device component includes one or more intellectual property (IP) cores.
20. The apparatus of claim 17, wherein the device component is the host or processor, the host or processor being on a same circuit board as the safety operation controller.
21. The apparatus of claim 17, wherein the device component is Automotive Safety Integrity Level D (ASIL-D) certificated.
22. The apparatus of claim 17, wherein each of the configured safety operations further includes an execution time threshold value indicating an execution time limit beyond which the corresponding configured safety operation is to notify the host or processor of the failure.
23. The apparatus of claim 17, wherein each of the configured safety operations further includes a recovery time threshold value indicating a recovery time limit beyond which the corresponding configured safety operation is to notify the host or processor of the failure.
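The configured-safety-operation record of claims 1, 10 and 11 (identifier, enable field, execution mode, error severity, fail mode, notification field, execution and recovery time thresholds) and the scheduler/error-handler split of Examples 10 through 14, worked through once in C. This is an added illustration written for this page, not code from the patent or from any product it describes. The enum names, the `period_ms`, `last_run_ms` and `run_count` bookkeeping, the bitmask of handler actions, the "0 means no limit" convention for thresholds and the three device-component stand-ins are all assumptions; real MBIST, LBIST and monitor routines are hardware-specific and are not shown.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Claim 1 field values (enum names are this example's own; severities per Example 13). */
typedef enum { EXEC_ONCE, EXEC_PERIODIC, EXEC_ON_EVENT } exec_mode_t;
typedef enum { SEV_INFO, SEV_WARNING, SEV_NORMAL, SEV_CRITICAL } severity_t;
typedef enum { FAIL_NO_RECOVERY, FAIL_RECOVER } fail_mode_t;
typedef enum { NOTIFY_NONE, NOTIFY_HOST, NOTIFY_PLATFORM_PROCESSOR } notify_t;
/* Error-handler decisions as a bitmask, so callers and tests can inspect them. */
enum { ACT_NONE = 0, ACT_RECOVER = 1, ACT_NOTIFY = 2 };

/* What a device component reports for one run, plus hooks for the check and its recovery
 * routine (returns recovery time in ms). The functions wired in below are constructed stand-ins. */
typedef struct { bool passed; uint32_t exec_time_ms; } op_result_t;
typedef op_result_t (*check_fn)(void);
typedef uint32_t (*recover_fn)(void);

/* One configured safety operation: the claim 1 fields plus the claim 10/11 thresholds
 * (0 = no limit). period_ms, last_run_ms and run_count are bookkeeping assumed here. */
typedef struct {
    uint16_t id;          bool enabled;           exec_mode_t mode;   uint32_t period_ms;
    severity_t severity;  fail_mode_t fail_mode;  notify_t notify;
    uint32_t exec_time_limit_ms, recovery_time_limit_ms;
    check_fn check;       recover_fn recover;
    uint32_t last_run_ms, run_count;
} safety_op_t;

/* Scheduler side (Examples 10 and 11): is this operation due at time now_ms? */
bool op_is_due(const safety_op_t *op, uint32_t now_ms, bool event_pending)
{
    if (!op->enabled) return false;                      /* the enable field gates everything */
    if (op->mode == EXEC_ON_EVENT) return event_pending;
    if (op->run_count == 0) return true;                 /* first run, whether once or periodic */
    return op->mode == EXEC_PERIODIC && now_ms - op->last_run_ms >= op->period_ms;
}

/* Error-handler side (Examples 12-14, claims 10-11): respond to a result, attempt recovery
 * if the fail mode allows it, and decide whether the configured host/processor is told. */
unsigned handle_result(const safety_op_t *op, op_result_t r)
{
    unsigned actions = ACT_NONE;
    /* Claim 10: an overlong run is reported even when the check itself passed. */
    if (op->exec_time_limit_ms && r.exec_time_ms > op->exec_time_limit_ms) actions |= ACT_NOTIFY;
    if (!r.passed) {
        if (op->fail_mode == FAIL_RECOVER && op->recover) {
            actions |= ACT_RECOVER;
            uint32_t recovery_ms = op->recover();
            /* Claim 11: recovery that overruns its limit is escalated. */
            if (op->recovery_time_limit_ms && recovery_ms > op->recovery_time_limit_ms) actions |= ACT_NOTIFY;
        }
        /* Example 14: a critical error always reaches the host or platform processor. */
        if (op->severity == SEV_CRITICAL) actions |= ACT_NOTIFY;
    }
    if (op->notify == NOTIFY_NONE) actions &= ~(unsigned)ACT_NOTIFY;   /* nobody configured */
    return actions;
}

/* One scheduler pass over the configured list; returns the number of notifications raised. */
unsigned scheduler_tick(safety_op_t *ops, size_t n, uint32_t now_ms, bool event_pending)
{
    unsigned notified = 0;
    for (size_t i = 0; i < n; i++) {
        if (!ops[i].check || !op_is_due(&ops[i], now_ms, event_pending)) continue;
        op_result_t r = ops[i].check();
        ops[i].last_run_ms = now_ms; ops[i].run_count++;
        if (handle_result(&ops[i], r) & ACT_NOTIFY) {
            notified++;
            printf("t=%u op %u: notify %s (passed=%d, exec=%u ms)\n", now_ms, ops[i].id,
                   ops[i].notify == NOTIFY_HOST ? "host" : "platform processor", r.passed, r.exec_time_ms);
        }
    }
    return notified;
}

/* Constructed device-component stand-ins (not real BIST or monitor code). */
op_result_t clock_fail(void)    { op_result_t r = { false, 3 }; return r; }
op_result_t voltage_slow(void)  { op_result_t r = { true, 90 }; return r; }
uint32_t    clock_recover(void) { return 40; }

/* A configuration as a second party might select it (constructed values), run for three ticks. */
unsigned run_demo(void)
{
    safety_op_t ops[] = {
        { .id = 1, .enabled = true, .mode = EXEC_PERIODIC, .period_ms = 100, .severity = SEV_CRITICAL,
          .fail_mode = FAIL_RECOVER, .notify = NOTIFY_PLATFORM_PROCESSOR, .recovery_time_limit_ms = 20,
          .check = clock_fail, .recover = clock_recover },
        { .id = 2, .enabled = true, .mode = EXEC_PERIODIC, .period_ms = 50, .severity = SEV_WARNING,
          .fail_mode = FAIL_NO_RECOVERY, .notify = NOTIFY_HOST, .exec_time_limit_ms = 50, .check = voltage_slow },
        { .id = 3, .enabled = false, .mode = EXEC_ON_EVENT, .severity = SEV_CRITICAL,
          .fail_mode = FAIL_NO_RECOVERY, .notify = NOTIFY_HOST, .check = clock_fail },
    };
    size_t n = sizeof ops / sizeof ops[0];
    unsigned total = scheduler_tick(ops, n, 0, true);   /* ops 1 and 2 run; op 3 is disabled */
    total += scheduler_tick(ops, n, 50, false);          /* only op 2 (50 ms period) is due   */
    total += scheduler_tick(ops, n, 100, false);         /* ops 1 and 2 are due again         */
    return total;                                        /* 5 notifications in all            */
}

int main(void) { printf("notifications raised: %u\n", run_demo()); return 0; }
```

Two points the claims make that are easy to lose in an implementation are visible here: a disabled operation never runs regardless of its execution mode, so the enable field is checked before anything else; and the execution-time threshold of claim 10 is evaluated on every run, so a check that passes but overruns its limit still raises a notification, which is what lets a stuck or slow monitor surface as a failure rather than as silence.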